US9967283B2 · Active · Utility · PatentIndex 94

Normalized indications of compromise

Assignee: SOPHOS LTD · Priority: Sep 14, 2014 · Filed: Sep 14, 2014 · Granted: May 8, 2018
Est. expiry: Sep 14, 2034 (~8.2 yrs left) · nominal 20-yr term from priority
Inventors: RAY KENNETH D; COOK ROBERT W; THOMAS ANDREW J; SAMOSSEIKO DMITRI; HARRIS MARK D
CPC: H04L 63/0263; H04L 63/20; H04L 63/1416
PatentIndex Score: 94
Cited by: 37
References: 20
Claims: 20

Abstract

Threat detection instrumentation is simplified by providing and updating labels for computing objects in a context-sensitive manner. This may include simple labeling schemes to distinguish between objects, e.g., trusted/untrusted processes or corporate/private data. This may also include more granular labeling schemes such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game), static threat detection attributes (e.g., signatures, hashes, API calls), and explicit identification (e.g., what a file or process calls itself). By tracking such data for various computing objects and correlating these labels to malware occurrences, rules can be written for distribution to endpoints to facilitate threat detection based on, e.g., interactions of labeled objects, changes to object labels, and so forth. In this manner, threat detection based on complex interactions of computing objects can be characterized in a platform-independent manner and pre-processed on endpoints without requiring significant communications overhead with a remote threat management facility.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method comprising:
detecting an action on an endpoint;
normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
applying a rule to identify a reportable event based on the plurality of observations and the relationship.

2. The method of claim 1 wherein the relationship among at least two of the plurality of observations is defined by a first normalized action associated with a first object and a second object that receives the first normalized action.

3. The method of claim 2 wherein the second object includes one or more additional normalized actions each having an additional object thereof.

4. The method of claim 1 wherein one of the plurality of observations has a time-to-live that provides an amount of time after which the one of the plurality of observations expires.

5. The method of claim 1 wherein the observation includes one or more other normalized actions each having a child object depending therefrom.

6. The method of claim 1 wherein the object includes a normalized object expressed in a manner independent from the hardware and software of the endpoint.

7. The method of claim 1 wherein the descriptor includes a reputation of the object.

8. The method of claim 1 wherein the descriptor includes static threat detection data for the object.

9. The method of claim 8 wherein the static threat detection data includes one or more of a hash of the object, a signature of the object, and a file size of the object.

10. The method of claim 8 wherein the static threat detection data includes a reference to a data repository of threat detection information.

11. The method of claim 10 wherein the data repository is on the endpoint.

12. The method of claim 10 wherein the data repository is outside of the endpoint.

13. The method of claim 1 wherein at least one of the descriptor or the first identifier of the object includes a name of the object as provided by the object.

14. The method of claim 1 wherein the object includes one or more of a process, a function, an executable, a dynamic linked library, a script, a file, a data structure, a URL, and data.

15. A computer program product comprising a non-transitory computer readable medium bearing computer executable code that, when executing on one or more computing devices, performs the steps of:
detecting an action on an endpoint;
normalizing the action into a normalized action expressed independently from a hardware and software platform of the endpoint, thereby providing a normalized action;
creating an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of an object associated with the action, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection;
collecting a plurality of observations for the endpoint and a relationship among the plurality of observations, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity than provided by the hardware and software platform of the endpoint, the greater granularity including at least one attribute provided by a source other than the hardware and software platform; and
applying a rule to identify a reportable event based on the plurality of observations and the relationship.

16. The computer program product of claim 15 wherein the relationship among at least two of the plurality of observations is defined by a first normalized action associated with a first object and a second object that receives the first normalized action.

17. The computer program product of claim 16 wherein the second object includes one or more additional normalized actions each having an additional object thereof.

18. The computer program product of claim 15 wherein one of the plurality of observations has a time-to-live that provides an amount of time after which the one of the plurality of observations expires.

19. The computer program product of claim 15 wherein the observation includes one or more other normalized actions each having a child object depending therefrom.

20. A system comprising:
a threat management facility configured to manage threats to an enterprise; and
an endpoint of the enterprise having a processor and a memory, the memory storing an object associated with an action, and the processor configured to detect the action, to normalize the action into a normalized action expressed independently from a hardware and software platform of the endpoint thereby providing a normalized action, to create an observation for the normalized action using a predetermined schema that organizes the observation into a first identifier of the object, a second identifier of the normalized action, and one or more descriptors that characterize the observation with information selected for relevance to threat detection, to collect a plurality of observations for the endpoint and a relationship among the plurality of observations, and to apply a rule to identify a reportable event based on the plurality of observations and the relationship, wherein one of the observations includes a refined normalized description of an object that categorizes a corresponding object with greater granularity including at least one attribute provided by a source other than the hardware and software platform.
